|
@@ -73,6 +73,7 @@ use OC\Share20\Hooks;
|
|
|
use OCP\EventDispatcher\IEventDispatcher;
|
|
|
use OCP\Group\Events\UserRemovedEvent;
|
|
|
use OCP\ILogger;
|
|
|
+use OCP\IRequest;
|
|
|
use OCP\IURLGenerator;
|
|
|
use OCP\IUserSession;
|
|
|
use OCP\Server;
|
|
@@ -408,7 +409,16 @@ class OC {
|
|
|
}
|
|
|
|
|
|
public static function initSession(): void {
|
|
|
- if (Server::get(\OCP\IRequest::class)->getServerProtocol() === 'https') {
|
|
|
+ $request = Server::get(IRequest::class);
|
|
|
+ $isDavRequest = strpos($request->getRequestUri(), '/remote.php/dav') === 0 || strpos($request->getRequestUri(), '/remote.php/webdav') === 0;
|
|
|
+ if ($request->getHeader('Authorization') !== '' && is_null($request->getCookie('cookie_test')) && $isDavRequest) {
|
|
|
+ setcookie('cookie_test', 'test', time() + 3600);
|
|
|
+ // Do not initialize the session if a request is authenticated directly
|
|
|
+ // unless there is a session cookie already sent along
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ if ($request->getServerProtocol() === 'https') {
|
|
|
ini_set('session.cookie_secure', 'true');
|
|
|
}
|
|
|
|
|
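Review bot: The new DAV detection in initSession matches `getRequestUri()` against `/remote.php/dav` with `strpos(...) === 0`, but if getRequestUri() returns the full request URI including the installation's web root (as it appears to), an instance served from a subdirectory never matches and the session-skip path is silently never taken there; matching on the root-relative path would make the check installation-independent, e.g. `$path = $request->getRawPathInfo();` and `$isDavRequest = str_starts_with($path, '/remote.php/dav') || str_starts_with($path, '/remote.php/webdav');`. The probe cookie is set with no attributes, before the `session.cookie_secure` branch below, so on https it is sent without `secure` and is readable from script; `setcookie('cookie_test', 'test', ['expires' => time() + 3600, 'httponly' => true, 'secure' => $request->getServerProtocol() === 'https']);` keeps it aligned with the session cookie. The comment says "unless there is a session cookie already sent along" while the condition actually tests `cookie_test`; wording it as "unless the client already returned our cookie_test probe, i.e. it supports cookies" would describe the check as written. `is_null(...)` could be `=== null` for consistency with the strict comparisons on the same line. initSession continues past the end of this hunk.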
@@ -516,7 +526,7 @@ class OC {
|
|
|
* also we can't directly interfere with PHP's session mechanism.
|
|
|
*/
|
|
|
private static function performSameSiteCookieProtection(\OCP\IConfig $config): void {
|
|
|
- $request = Server::get(\OCP\IRequest::class);
|
|
|
+ $request = Server::get(IRequest::class);
|
|
|
|
|
|
// Some user agents are notorious and don't really properly follow HTTP
|
|
|
// specifications. For those, have an automated opt-out. Since the protection
|
|
@@ -778,7 +788,7 @@ class OC {
|
|
|
return;
|
|
|
}
|
|
|
|
|
|
- $request = Server::get(\OCP\IRequest::class);
|
|
|
+ $request = Server::get(IRequest::class);
|
|
|
$host = $request->getInsecureServerHost();
|
|
|
/**
|
|
|
* if the host passed in headers isn't trusted
|
|
@@ -840,7 +850,7 @@ class OC {
|
|
|
if (!defined('PHPUNIT_RUN') && $userSession->isLoggedIn()) {
|
|
|
// reset brute force delay for this IP address and username
|
|
|
$uid = $userSession->getUser()->getUID();
|
|
|
- $request = Server::get(\OCP\IRequest::class);
|
|
|
+ $request = Server::get(IRequest::class);
|
|
|
$throttler = Server::get(\OC\Security\Bruteforce\Throttler::class);
|
|
|
$throttler->resetDelay($request->getRemoteAddress(), 'login', ['user' => $uid]);
|
|
|
}
|
|
@@ -970,7 +980,7 @@ class OC {
|
|
|
exit();
|
|
|
}
|
|
|
|
|
|
- $request = Server::get(\OCP\IRequest::class);
|
|
|
+ $request = Server::get(IRequest::class);
|
|
|
$requestPath = $request->getRawPathInfo();
|
|
|
if ($requestPath === '/heartbeat') {
|
|
|
return;
|